Questions to be raised about the Recommendations 01/2020 on measures that supplement
transfer tools to ensure compliance with the EU level of protection of personal data.


1. Could you clarify which entities, beyond the imprecise denomination "exporter" and "importer", 
should adopt the proposed measures? The document seems to be aimed primarily at data exporters, 
understood as those controllers or processors actually transferring the data. This would exclude many 
data controllers who do not directly export the data, but whose service providers export the data. For 
example, in the case of a small company located in the EU that uses Google or Microsoft services and 
contracts with Google Ireland Limited or Microsoft Ireland Operations Limited, both located in the EU 
and exporting data to their subsidiaries or headquarters in the U.S., should we understand that the 
adoption of measures is the sole responsibility of these processing companies located in Ireland? 
What is the responsibility of the small company that uses the services mentioned above and is the
controller of the data being transferred?


2. In the above case, if the small business has to take the measures proposed in the document, it 
should be taken into account that compliance can be extremely costly for a small organization. 
Continuously analyzing the legal regime of third countries, more so when we talk about specialized 
regulations on surveillance and national security, may require the hiring of highly qualified personnel. 
As for the collaboration of importers, it is unrealistic to think that data importing entities will
cooperate in a transparent manner when reporting possible incompatibilities in the legislation of
the countries where they are located, as this may mean the loss of clients for them.


3. If the small controller has to take these measures, it should be noted that its contractual relationship 
is with the company located in the EU (exporter of the data), not with the company located in the USA 
(importer of the data). In this sense, one must appreciate the real difficulty of entering into
negotiations between the data controller and the data importer, since there is not even a
contractual relationship between the two.


4. Are there plans for the European Commission, the European Data Protection Board, the national 
authorities and the other public authorities of the European Union to carry out the regulatory 
investigation work they propose themselves, and for the benefit of EU organizations? It should be
noted that the control of legality of the operations of a company in the EU must be carried out by
the public authorities of the EU. Transferring this control obligation to the companies’ clients
(whether these are consumers or other companies) implies a disproportionate burden and legal
uncertainty that is not seen in other areas.


5. Many essential technological services are offered by US companies and could be stopped in 
the absence of adequate additional measures to prevent access to data by US authorities. This may 
pose a problem for EU companies using these services, which may not be able to find alternative 
providers offering a similar level of protection as in Europe. Are measures planned at EU level to 
facilitate the proliferation of alternative technology services companies and to support
procurement from them?


